- Attackers targeted the PraisonAI vulnerability within 3 hours and 44 minutes of its public disclosure on May 11, 2026.
- The flaw, CVE-2026-44338, is a missing authentication bug that allows unauthenticated access to sensitive API endpoints and workflow triggers.
- The vulnerability affects versions 2.5.6 through 4.6.33, with a patch available in version 4.6.34.
Threat actors rapidly began exploiting a critical security flaw in the open-source PraisonAI framework, with the first attack attempts occurring less than four hours after public disclosure in May 2026. The vulnerability exposes unsecured API endpoints, allowing unauthorized access to core system functions.
Identified as CVE-2026-44338, this flaw stems from a legacy Flask API server shipping with authentication disabled by default. According to an advisory, this lets any caller access the `/agents` endpoint and trigger workflows via `/chat` without a token.
Consequently, attackers can enumerate agent configurations, consume API quotas, and expose the results of AI runs. The impact, however, ultimately depends on what the operator’s configured workflow is permitted to do.
Sysdig reported that a scanner probing for the flaw originated from IP address 146.190.133[.]49. This activity followed a profile of two scanning passes targeting generic paths and then specific AI-agent surfaces.
The probe confirming the bypass was a single GET request to `/agents` with the User-Agent “CVE-Detector/1.0.” “That request returns 200 OK… confirming the bypass was successful,” Sysdig said.
Meanwhile, the maintainers of PraisonAI have patched the issue in version 4.6.34. Security researcher Shmulik Cohen is credited with discovering the vulnerability.
This incident exemplifies a growing trend where exploits are weaponized almost immediately after disclosure. Consequently, organizations must patch urgently and audit deployments for suspicious activity.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
